ClassroomIO Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to Admin Endpoints
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in ClassroomIO version 0.1.13. It allows a student to reach sensitive admin and teacher endpoints by changing the course ID in a URL. The result is unauthorized disclosure of sensitive data about courses, administrators, and students. The data is exposed briefly before the application reapplies its normal access restrictions.
Impact
Exploitation of this vulnerability grants unauthorized access to admin-only data and endpoints: the sensitive information is leaked for a short window before access restrictions are reapplied.
Reproduction
To reproduce this vulnerability, log in as an admin and create a course with enrolled students. Access the admin endpoints for the course to verify that the data is visible. Then, log in as a student, join the course, and note that admin data is not accessible through the user interface. After obtaining the course ID, manually access the admin endpoints by crafting URLs that include the manipulated course ID. The system will initially respond with the admin data, creating a momentary leak before reverting to the normal access restrictions.
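The behaviour described above (admin data served first, access restriction applied afterwards) is what you get when the check that hides admin data runs on the client after the server has already sent it. The following is an added example, not ClassroomIO's code: a hypothetical request handler in the vulnerable shape next to a hardened one that resolves the caller's role for the specific requested course on the server before any admin-only data is built. All course IDs, user IDs, roles and data below are constructed for the example.

```javascript
// Added example, not ClassroomIO's own code. Shows why a client-side redirect does
// not prevent an IDOR on an admin endpoint, and what a server-side, per-course
// authorization check looks like. All data, names and roles below are constructed.

// Constructed sample data: two courses, several users, per-course memberships.
const courses = {
  'course-1': { id: 'course-1', title: 'Intro to Security', joinCode: 'JOIN-1111' },
  'course-2': { id: 'course-2', title: 'Applied Crypto', joinCode: 'JOIN-2222' },
};

const memberships = [
  { courseId: 'course-1', userId: 'u-admin', role: 'admin' },
  { courseId: 'course-1', userId: 'u-teacher', role: 'teacher' },
  { courseId: 'course-1', userId: 'u-student', role: 'student' },
  { courseId: 'course-2', userId: 'u-other-admin', role: 'admin' },
];

const grades = { 'course-1': [{ userId: 'u-student', score: 88 }], 'course-2': [] };

const ADMIN_ROLES = new Set(['admin', 'teacher']);

// Role of a user inside one specific course, or null if they are not a member.
function getCourseRole(userId, courseId) {
  const m = memberships.find(x => x.userId === userId && x.courseId === courseId);
  return m ? m.role : null;
}

// Admin-only payload: the data a student must never receive.
function adminPayload(courseId) {
  const course = courses[courseId];
  return {
    title: course.title,
    joinCode: course.joinCode,
    roster: memberships
      .filter(m => m.courseId === courseId)
      .map(m => ({ userId: m.userId, role: m.role })),
    grades: grades[courseId],
  };
}

// Vulnerable shape: the endpoint serializes the admin payload for any logged-in
// user and merely attaches a hint telling the client to redirect non-admins.
// The data has already left the server, so the redirect is cosmetic.
function vulnerableAdminView(session, courseId) {
  if (!session || !session.userId) return { status: 401, body: null };
  if (!courses[courseId]) return { status: 404, body: null };
  const role = getCourseRole(session.userId, courseId);
  return {
    status: 200,
    body: adminPayload(courseId),
    redirectClientTo: ADMIN_ROLES.has(role) ? null : `/course/${courseId}`,
  };
}

// Hardened shape: the role is resolved for the *requested* course id on the
// server, and nothing admin-only is built until that check passes. The check is
// object-level (this user, this course); a global "is an admin somewhere" flag
// would still allow an admin of course-2 to read course-1 by changing the id.
function hardenedAdminView(session, courseId) {
  if (!session || !session.userId) return { status: 401, body: null };
  if (!courses[courseId]) return { status: 404, body: null };
  const role = getCourseRole(session.userId, courseId);
  if (!ADMIN_ROLES.has(role)) {
    // Denied requests are worth logging: a user walking through course ids
    // for courses they are not staff of shows up as a run of these entries.
    return {
      status: 403,
      body: null,
      audit: `denied userId=${session.userId} courseId=${courseId} role=${role}`,
    };
  }
  return { status: 200, body: adminPayload(courseId), audit: null };
}
```

Whichever framework the application uses, the rule the hardened handler demonstrates is the same: authorization is decided on the server, per object, before the response body is assembled, and the client never has a chance to see data it then has to hide. Separately returning 404 for unknown courses and 403 for known ones reveals whether a guessed course ID exists; an application that wants to avoid that confirmation can return 404 for both cases.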